
xinthose's questions

xinthose
Asked: 2019-07-24 14:12:37 +0800 CST

OpenVPN - client connects to the server but cannot ping the server or the server's LAN

  • 1

I am trying to ping an Ubuntu server's network from Windows 7 (the client). Ubuntu and Windows are both clients on another OpenVPN server that has the client-to-client option. The client can connect to the server (it gets IP address 10.0.0.50) but cannot ping any address on the server's network. I have tried this server option: push "route 10.0.0.0 255.255.255.0 10.2.0.21", but it does not work. What am I missing here? Thank you.

Windows 7, client, configuration

# client config
remote 10.2.0.21 1723
client
proto udp
dev tap
dev-node OpenVPN_Route1
reneg-sec 28800
resolv-retry infinite

# security
remote-cert-tls server
tls-auth "PC71_hamsing_server\\ta.key" 1
ca "PC71_hamsing_server\\ca.crt"
cert "PC71_hamsing_server\\PC71_hamsing_server.crt"
key "PC71_hamsing_server\\PC71_hamsing_server.key"

# connection
nobind
persist-key
persist-tun

# logging
status "C:\\Program Files\\OpenVPN\\log\\Hamsing_Server.log"
log "C:\\Program Files\\OpenVPN\\log\\Hamsing_Server.log"
verb 3
mute 20

Ubuntu 18.04, server, configuration

# server config (10.0.0.2 is the IP address of br0)
server-bridge 10.0.0.2 255.255.255.0 10.0.0.50 10.0.0.99
;push "route 10.0.0.0 255.255.255.0 10.2.0.21"  # LAN, LAN subnet, OpenVPN IP, metric
port 1723
proto udp
dev tap
reneg-sec 28800
keepalive 10 120

# security
remote-cert-tls client
ca server/ca.crt
tls-auth server/ta.key 0 # 0 on server, 1 on clients, generate with "openvpn --genkey --secret ta.key"
cert server/hamsing_server.crt
key server/hamsing_server.key
dh server/dh2048.pem

# connection
persist-key
persist-tun

# logging
status /var/www/html/logs/vpn/server-status.log
log /var/www/html/logs/vpn/server.log
verb 3
management 127.0.0.1 7656
mute 20

Client log of the connection to the server

Tue Jul 23 17:02:21 2019 TLS: Initial packet from [AF_INET]10.2.0.21:1723, sid=9bc321ea 96ec878d
Tue Jul 23 17:02:21 2019 VERIFY OK: depth=1, C=US, ST=IL, L=Aurora, O=EleMech, OU=Portalogic-Field, CN=EleMech CA, name=EasyRSA, [email protected]
Tue Jul 23 17:02:21 2019 VERIFY KU OK
Tue Jul 23 17:02:21 2019 Validating certificate extended key usage
Tue Jul 23 17:02:21 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Jul 23 17:02:21 2019 VERIFY EKU OK
Tue Jul 23 17:02:21 2019 VERIFY OK: depth=0, C=US, ST=IL, L=Aurora, O=EleMech, OU=Portalogic-Field, CN=hamsing_server, name=EasyRSA, [email protected]
Tue Jul 23 17:02:21 2019 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Jul 23 17:02:21 2019 [hamsing_server] Peer Connection Initiated with [AF_INET]10.2.0.21:1723
Tue Jul 23 17:02:22 2019 MANAGEMENT: >STATE:1563919342,GET_CONFIG,,,,,,
Tue Jul 23 17:02:22 2019 SENT CONTROL [hamsing_server]: 'PUSH_REQUEST' (status=1)
Tue Jul 23 17:02:22 2019 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.0.0.2,ping 10,ping-restart 120,ifconfig 10.0.0.50 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Tue Jul 23 17:02:22 2019 OPTIONS IMPORT: timers and/or timeouts modified
Tue Jul 23 17:02:22 2019 OPTIONS IMPORT: --ifconfig/up options modified
Tue Jul 23 17:02:22 2019 OPTIONS IMPORT: route-related options modified
Tue Jul 23 17:02:22 2019 OPTIONS IMPORT: peer-id set
Tue Jul 23 17:02:22 2019 OPTIONS IMPORT: adjusting link_mtu to 1656
Tue Jul 23 17:02:22 2019 OPTIONS IMPORT: data channel crypto options modified
Tue Jul 23 17:02:22 2019 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jul 23 17:02:22 2019 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jul 23 17:02:22 2019 Preserving previous TUN/TAP instance: OpenVPN_Route1
Tue Jul 23 17:02:22 2019 Initialization Sequence Completed
Tue Jul 23 17:02:22 2019 MANAGEMENT: >STATE:1563919342,CONNECTED,SUCCESS,10.0.0.50,10.2.0.21,1723,,

Server log of the connection from the client

Tue Jul 23 14:56:10 2019 WARNING: file 'server/hamsing_server.key' is group or others accessible
Tue Jul 23 14:56:10 2019 WARNING: file 'server/ta.key' is group or others accessible
Tue Jul 23 14:56:10 2019 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2019
Tue Jul 23 14:56:10 2019 library versions: OpenSSL 1.1.1  11 Sep 2018, LZO 2.08
Tue Jul 23 14:56:10 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:7656
Tue Jul 23 14:56:10 2019 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Tue Jul 23 14:56:10 2019 Diffie-Hellman initialized with 2048 bit key
Tue Jul 23 14:56:10 2019 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul 23 14:56:10 2019 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul 23 14:56:10 2019 TUN/TAP device tap0 opened
Tue Jul 23 14:56:10 2019 TUN/TAP TX queue length set to 100
Tue Jul 23 14:56:10 2019 Could not determine IPv4/IPv6 protocol. Using AF_INET
Tue Jul 23 14:56:10 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Jul 23 14:56:10 2019 UDPv4 link local (bound): [AF_INET][undef]:1723
Tue Jul 23 14:56:10 2019 UDPv4 link remote: [AF_UNSPEC]
Tue Jul 23 14:56:10 2019 MULTI: multi_init called, r=256 v=256
Tue Jul 23 14:56:10 2019 IFCONFIG POOL: base=10.0.0.50 size=50, ipv6=0
Tue Jul 23 14:56:10 2019 Initialization Sequence Completed
Tue Jul 23 14:56:21 2019 10.2.0.15:61917 TLS: Initial packet from [AF_INET]10.2.0.15:61917, sid=35913f44 fa1e7a5f
Tue Jul 23 14:56:22 2019 10.2.0.15:61917 VERIFY OK: depth=1, C=US, ST=IL, L=Aurora, O=EleMech, OU=Portalogic-Field, CN=EleMech CA, name=EasyRSA, [email protected]
Tue Jul 23 14:56:22 2019 10.2.0.15:61917 VERIFY KU OK
Tue Jul 23 14:56:22 2019 10.2.0.15:61917 Validating certificate extended key usage
Tue Jul 23 14:56:22 2019 10.2.0.15:61917 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Tue Jul 23 14:56:22 2019 10.2.0.15:61917 VERIFY EKU OK
Tue Jul 23 14:56:22 2019 10.2.0.15:61917 VERIFY OK: depth=0, C=US, ST=IL, L=Aurora, O=EleMech, OU=Portalogic-Field, CN=PC71_hamsing_server, name=EasyRSA, [email protected]
Tue Jul 23 14:56:22 2019 10.2.0.15:61917 peer info: IV_VER=2.4.1
Tue Jul 23 14:56:22 2019 10.2.0.15:61917 peer info: IV_PLAT=win
Tue Jul 23 14:56:22 2019 10.2.0.15:61917 peer info: IV_PROTO=2
Tue Jul 23 14:56:22 2019 10.2.0.15:61917 peer info: IV_NCP=2
Tue Jul 23 14:56:22 2019 10.2.0.15:61917 peer info: IV_LZ4=1
Tue Jul 23 14:56:22 2019 10.2.0.15:61917 peer info: IV_LZ4v2=1
Tue Jul 23 14:56:22 2019 10.2.0.15:61917 peer info: IV_LZO=1
Tue Jul 23 14:56:22 2019 10.2.0.15:61917 peer info: IV_COMP_STUB=1
Tue Jul 23 14:56:22 2019 10.2.0.15:61917 peer info: IV_COMP_STUBv2=1
Tue Jul 23 14:56:22 2019 10.2.0.15:61917 peer info: IV_TCPNL=1
Tue Jul 23 14:56:22 2019 10.2.0.15:61917 peer info: IV_GUI_VER=OpenVPN_GUI_11
Tue Jul 23 14:56:22 2019 10.2.0.15:61917 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Jul 23 14:56:22 2019 10.2.0.15:61917 [PC71_hamsing_server] Peer Connection Initiated with [AF_INET]10.2.0.15:61917
Tue Jul 23 14:56:22 2019 PC71_hamsing_server/10.2.0.15:61917 MULTI_sva: pool returned IPv4=10.0.0.50, IPv6=(Not enabled)
Tue Jul 23 14:56:23 2019 PC71_hamsing_server/10.2.0.15:61917 PUSH: Received control message: 'PUSH_REQUEST'
Tue Jul 23 14:56:23 2019 PC71_hamsing_server/10.2.0.15:61917 SENT CONTROL [PC71_hamsing_server]: 'PUSH_REPLY,route-gateway 10.0.0.2,ping 10,ping-restart 120,ifconfig 10.0.0.50 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Tue Jul 23 14:56:23 2019 PC71_hamsing_server/10.2.0.15:61917 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Jul 23 14:56:23 2019 PC71_hamsing_server/10.2.0.15:61917 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jul 23 14:56:23 2019 PC71_hamsing_server/10.2.0.15:61917 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jul 23 14:56:23 2019 PC71_hamsing_server/10.2.0.15:61917 MULTI: Learn: 00:ff:11:98:b7:4f -> PC71_hamsing_server/10.2.0.15:61917

Ubuntu server network

root@pal7687-1:/etc/openvpn# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP group default qlen 1000
    link/ether 00:e0:67:13:94:cc brd ff:ff:ff:ff:ff:ff
3: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP group default qlen 1000
    link/ether 00:e0:67:13:94:cd brd ff:ff:ff:ff:ff:ff
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:e0:67:13:94:cc brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.2/24 brd 10.0.0.255 scope global noprefixroute br0
       valid_lft forever preferred_lft forever
    inet6 fe80::2e0:67ff:fe13:94cc/64 scope link
       valid_lft forever preferred_lft forever
17: tap0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 100
    link/ether f6:13:27:e8:94:89 brd ff:ff:ff:ff:ff:ff
18: tun2: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.2.0.21/16 brd 10.2.255.255 scope global tun2
       valid_lft forever preferred_lft forever
    inet6 fe80::4fb5:d60d:e798:58a6/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

linux
  • 2 answers
  • 801 views
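A defender-side diagnostic for the situation in the post above (added here, not code from the original post or from OpenVPN): in server-bridge mode the TAP device has to be a member of br0 and administratively UP, so this parses `ip a` output of the shape shown above (the sample below is constructed from that listing) and reports which interfaces the bridge actually holds and what is wrong with the TAP device.

```python
import re
# Constructed `ip a` excerpt shaped like the post's: enp3s0 in br0, tap0 standalone and DOWN.
SAMPLE_IP_A = """\
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP group default qlen 1000
    link/ether 00:e0:67:13:94:cc brd ff:ff:ff:ff:ff:ff
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.0.0.2/24 brd 10.0.0.255 scope global noprefixroute br0
17: tap0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 100
    link/ether f6:13:27:e8:94:89 brd ff:ff:ff:ff:ff:ff
"""
HEADER_RE = re.compile(r"^\d+: ([^:@]+)(?:@\S+)?: <([^>]*)>(.*)$")

def parse_ip_a(text):
    """Map interface name -> flags, admin state, bridge master and IPv4 addresses."""
    ifaces, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            name, flags, rest = m.groups()
            master = re.search(r"\bmaster (\S+)", rest)
            state = re.search(r"\bstate (\S+)", rest)
            current = ifaces[name] = {
                "flags": set(flags.split(",")) if flags else set(),
                "state": state.group(1) if state else "UNKNOWN",
                "master": master.group(1) if master else None,
                "inet": [],
            }
        elif current is not None:
            m = re.match(r"\s+inet (\S+)", line)   # 'inet6' lines are skipped
            if m:
                current["inet"].append(m.group(1))
    return ifaces

def bridge_members(ifaces, bridge):
    """Interfaces currently enslaved to the bridge."""
    return sorted(n for n, i in ifaces.items() if i["master"] == bridge)

def bridge_findings(ifaces, bridge, tap):
    """server-bridge checks: TAP must be a bridge member and UP; bridge needs the LAN address."""
    if tap not in ifaces:
        return [f"{tap} does not exist"]
    t, findings = ifaces[tap], []
    if t["master"] != bridge:
        findings.append(f"{tap} is not a member of {bridge} (master={t['master']})")
    if "UP" not in t["flags"]:
        findings.append(f"{tap} is administratively DOWN")
    if bridge in ifaces and not ifaces[bridge]["inet"]:
        findings.append(f"{bridge} has no IPv4 address")
    return findings
```

Run it against the real output with `parse_ip_a(subprocess.check_output(["ip", "a"], text=True))`; an empty findings list means the TAP side of the bridge is at least wired up.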
xinthose
Asked: 2014-12-01 18:25:11 +0800 CST

Debian bridge networking - static IP address

  • 0

I have a PC with 3 Ethernet ports. I can share the Internet from eth1 with the other two ports. After aptitude bridge-utils and brctl addbr br0, I use the following settings in /etc/network/interfaces

auto lo br0
 iface lo inet loopback

 iface eth1 inet manual
 iface eth2 inet manual
 iface eth3 inet manual

 iface br0 inet dhcp
        bridge_ports eth1 eth2 eth3

But now I want to give everything a static IP address

iface br0 inet static
        bridge_ports eth1 eth2 eth3
        address   192.168.10.200
        broadcast 192.168.10.255
        gateway   192.168.10.1
        netmask   255.255.255.0

 iface eth2 inet static
        address   192.168.10.201
        broadcast 192.168.10.255
        gateway   192.168.10.1
        netmask   255.255.255.0

 iface eth3 inet static
        address   192.168.10.202
        broadcast 192.168.10.255
        gateway   192.168.10.1
        netmask   255.255.255.0

Can I also give eth1 a static IP address? That is where the Ethernet comes in. For Remote Desktop connections I connect to br0's IP address. However, this configuration does not give me Internet access. I should not keep the iface eth1,2,3 inet manual lines, right?

networking
  • 1 answer
  • 1030 views
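An added configuration check for the post above (not code from the original post or from Debian's ifupdown): it parses /etc/network/interfaces stanzas and flags bridge_ports members that carry their own inet static address or gateway, and any file that declares more than one default gateway. The sample is constructed to mirror the second configuration in the post.

```python
# Constructed /etc/network/interfaces mirroring the post's second attempt:
# br0 is static and its members eth2/eth3 also get their own static addresses.
SAMPLE_INTERFACES = """\
auto lo br0
iface lo inet loopback
iface eth1 inet manual
iface br0 inet static
        bridge_ports eth1 eth2 eth3
        address   192.168.10.200
        gateway   192.168.10.1
        netmask   255.255.255.0
iface eth2 inet static
        address   192.168.10.201
        gateway   192.168.10.1
iface eth3 inet static
        address   192.168.10.202
        gateway   192.168.10.1
"""

def parse_interfaces(text):
    """Map interface name -> {"method": ..., "options": {key: value}} for inet stanzas."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[0] == "iface" and len(words) >= 4 and words[2] == "inet":
            current = stanzas[words[1]] = {"method": words[3], "options": {}}
        elif words[0] in ("auto", "allow-hotplug", "source", "mapping"):
            current = None                     # these lines end the open stanza
        elif current is not None:
            current["options"][words[0]] = " ".join(words[1:])
    return stanzas

def interfaces_findings(stanzas):
    """Flag bridge members that carry their own config and duplicate default gateways."""
    findings = []
    for br, st in stanzas.items():
        for port in st["options"].get("bridge_ports", "").split():
            member = stanzas.get(port)
            if member is None:
                findings.append(f"{br}: member {port} has no iface stanza")
            elif member["method"] != "manual" or "address" in member["options"]:
                findings.append(f"{br}: member {port} should be 'inet manual' with no address")
    gateways = sorted(n for n, st in stanzas.items() if "gateway" in st["options"])
    if len(gateways) > 1:
        findings.append(f"multiple default gateways: {gateways}")
    return findings
```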
